China Launches MitM Attack on Google

The non-profit organization GreatFire revealed something new and nasty today: a report posted on its blog says the Chinese government is running a man-in-the-middle (MITM) attack on SSL-encrypted traffic between the China Education and Research Network (CERNET) and Google.

The Chinese government blocked Google's services throughout the country in 2012, but it still allows access to Google through the China Education and Research Network (CERNET) only.

Accessing Google through CERNET makes privacy and security experts fear that the Chinese government is monitoring and surveilling users while they use Google's services, GreatFire reports. CERNET users have many times observed warning messages about invalid SSL certificates when accessing Google search and other Google services.

One possibility is that Chinese authorities are running a man-in-the-middle (MitM) attack to eavesdrop on encrypted traffic between CERNET and Google, which would produce the invalid SSL certificate warnings.

GreatFire has since confirmed that the warnings are caused by a MITM attack.

Why Did China Attack Google?

There is a clear incentive to mount a man-in-the-middle attack against Google. Google enforced HTTPS by default on March 12, 2014, in China and all over the world. That means all communication between a user and Google is encrypted by default: only the end user and the Google server know what information is being searched for and returned. This in turn means the authorities cannot block individual searches on Google; all they can do is block the website altogether. Instead of doing that, China has mounted a MITM attack, which serves their purpose of intercepting users' traffic.

Reports

The thesis put forward by GreatFire has been corroborated by the software vendor Netresec, which analyzed two of the packets captured from the attacks and confirmed that the Chinese government is behind the MITM attack.

Netresec researchers, quoted in a GreatFire blog post, say:
“The Chinese are running a MITM attack on SSL encrypted traffic between Chinese universities and Google. We’ve performed technical analysis of the attack, on request from GreatFire.org, and can confirm that it is a real SSL MITM against www.google.com and that it is being performed from within China.”

“It’s difficult to say exactly how the MITM attack was carried out, but we can dismiss DNS spoofing as the used method. A more probable method would be IP hijacking; either through a BGP prefix hijacking or some form of packet injection. However, regardless of how they did it, the attacker would be able to decrypt and inspect the traffic going to Google.”

What Should You Do?

If you are also having the same type of issue, we recommend that you never click through when you see a certificate warning. Use Firefox or Chrome, as these browsers won’t even allow you to click through the warning for websites that use HSTS (like Google and GitHub). If you click through the warning, your Google account credentials can be stolen, which means all your Gmail can be read by the attacker.
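The HSTS behaviour described above, modelled as an added example (not code from GreatFire, Netresec or any browser): a small Strict-Transport-Security header parser, a dynamic HSTS cache with expiry and includeSubDomains handling, a constructed stand-in for the preload list, and the decision a browser makes when a certificate fails to validate, which is a hard block for HSTS hosts such as google.com and github.com and a click-through warning for everything else. Host names and header values in the test are constructed.

```python
import time
# Constructed stand-in for a browser's built-in HSTS preload list (host -> includeSubDomains);
# google.com and github.com are the HSTS sites the post names. Real lists are far larger.
PRELOADED = {"google.com": True, "github.com": True}

def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains); None if malformed."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    """Dynamic HSTS cache as a browser keeps it: host -> (expiry timestamp, includeSubDomains)."""
    def __init__(self, now=time.time):
        self.now, self.entries = now, {}
    def record(self, host, header):
        """Apply a header seen on a valid HTTPS response; returns False if it was malformed."""
        parsed = parse_hsts(header)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:  # max-age=0 tells the client to forget the policy
            self.entries.pop(host.lower(), None)
        else:
            self.entries[host.lower()] = (self.now() + max_age, include_sub)
        return True
    def is_hsts_host(self, host):
        """True if host, or a parent with includeSubDomains, has an unexpired or preloaded policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate, exact = ".".join(labels[i:]), i == 0
            if candidate in PRELOADED and (exact or PRELOADED[candidate]):
                return True
            entry = self.entries.get(candidate)
            if entry and entry[0] > self.now() and (exact or entry[1]):
                return True
        return False

def cert_error_decision(store, host, cert_valid):
    """'proceed' on a valid chain; otherwise 'block' (no click-through) for HSTS hosts, else 'warn'."""
    return "proceed" if cert_valid else ("block" if store.is_hsts_host(host) else "warn")
```

A forged certificate presented for www.google.com therefore lands in the "block" branch: the user never gets the chance to accept it, which is exactly the protection the post recommends relying on.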